In one of our portals, I am testing a page which prompts the user to upload his/her documents required for verification. However, I am able to upload batch or executable files, which is incorrect, I believe.

However, our BAs have approved this.

Please provide your comments/feedback on this bug, as I believe it is a vulnerability for our portal.

5 Answers

Do your functional requirements indicate what types of files are permitted to be uploaded, and what types are not?

Do you have formal security requirements? Or is it just your sense that uploading executables or batch files is a bad thing to allow?

Your BA approved this. Did she say why it should be permitted?

What happens in your portal when an executable is uploaded? What is involved with this "for verification" step?

In some contexts, uploading executable files would be a bad thing. In some environments (a file sharing site perhaps) it might be essential. Understanding the context in which you are testing should be an early step in your testing of this feature.

Furthermore, if this is absolutely a requirement, there are definitely ways to mitigate most of the risks such as user accounts, storage method, and storage location.
– Lyndon Vrooman, Nov 12 '12 at 16:00

Context is everything... what is the nature of the site (public/private, and purpose)? The definition of "executable" is also quite broad, and should extend beyond the obvious bat, exe and com.

For example, most vulnerabilities in many common web-applications (e.g. WordPress, osCommerce, Joomla) are/were because folders were left write-enabled and/or file-upload was enabled, allowing dubious characters to upload their own PHP scripts for malicious purposes.

If your site is public facing, or even if private, I would suggest that uploading executable files is questionable.

Our website is a public portal providing insurance solutions to people. That is why I tried to convince the BAs. Also, I had a word with our technical manager, but he said "If any exe. or sh. file or any other file is uploaded, we have implemented interceptor concept." So, all I could do was nod yes.
– Grv, Jan 25 '13 at 5:27

@GauravKhanna - all I can say is: You have some problems :-(
– Andrew, Jan 25 '13 at 6:03
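
The following is an added example, not part of the original answers and not the portal's code: a minimal server-side upload check reflecting the points above that "executable" is broader than bat/exe/com and that the storage name and location matter. The allowed document types, the blocked-extension list and all function names are assumptions.

```python
import os
import secrets

# Assumption: the portal only needs these document types (not stated on the page).
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Inner extensions that must not hide in the name (catches "shell.php.pdf").
BLOCKED_PARTS = {"exe", "bat", "com", "cmd", "sh", "php", "phtml", "jsp", "js", "ps1"}

class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a check."""

def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # Drop any path the client sent; handle both separators.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    if not base or "\x00" in base or base.startswith("."):
        raise UploadRejected("bad file name")
    stem, ext = os.path.splitext(base)
    if ext not in ALLOWED:  # allowlist, so unknown types fail closed
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if BLOCKED_PARTS & set(stem.split(".")[1:]):
        raise UploadRejected("executable extension hidden in name")
    # Leading-bytes check is a sanity check, not a malware scan.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Never reuse the client's name; store the file outside the web root.
    return secrets.token_hex(16) + ext

def verdict(client_name: str, data: bytes) -> str:
    try:
        validate_upload(client_name, data)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed sample uploads (name, first bytes of content).
    for name, data in [
        ("claim-form.pdf", b"%PDF-1.7\n"),
        ("setup.exe", b"MZ\x90\x00"),
        ("shell.php.pdf", b"%PDF-1.7\n"),
        ("id-card.jpg", b"MZ\x90\x00"),
    ]:
        print(f"{name:16} -> {verdict(name, data)}")
```
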

As a tester, part of your job is to provide information and to advise others (BAs, Developers, Managers etc.) about the state of the system and any potential risks. With this in mind, what I'd do in your situation is to research examples of this problem and the potential effects. To appear more credible you could outline best case scenarios (e.g. distribution of viruses to other website users and/or the company IT system, but no actual damage to the website or the server it runs on) and worst case scenarios (e.g. data loss, leaking of private information and credentials), then give your professional opinion on which of these scenarios is the most likely.

It may also be beneficial to find colleagues who agree with your point of view and ask them to give their opinion on the potential risks. In a comment on someone else's answer you mentioned that your Technical Manager was confident that there are measures in place to mitigate this risk. It may be beneficial to find out what these measures are and if there are any known weaknesses/attack vectors to counteract them.

At the end of the day, though, it's not your decision if this 'feature' is left in place. As long as you've raised your concerns to the best of your ability, it's not your responsibility if bad things happen down the road. But to cover your back I would get confirmation in writing from the BA that your concerns have been noted and understood.

Allowing .bat and .exe files to be uploaded is a serious security risk. I certainly don't know what your architecture is, but in general allowing executable files to be uploaded by a user is an open door for malicious attacks.